In new firmware updates, Seagate is patching for three vulnerabilities (CVE-2015-2874, CVE-2015-2875 and CVE-2015-2876). Researchers from Tangible Security reported the vulnerabilities on March 28 to Seagate, which patched them on Sept. 1. According to Tangible Security, the flaws have been present in Seagate’s devices since October 2014. Among the flaws that Seagate is patching is a hard-coded administrative credentials issue (CVE-2015-2874). The hard-coded credentials included a default administrative account with the username and password of “root.”
To add further insult to injury, the hard-coded credentials were included in an undocumented component of the Seagate firmware that enabled Telnet services. Security experts widely regard Telnet as an insecure protocol that should not be used because it doesn’t encrypt data.